Stealing someone’s virtual identity is now easier than stealing candy from a baby.
Firesheep, an add-on for Mozilla’s Firefox Web browser, allows people to “side-jack” the online accounts of others connected to the same Wi-Fi network. It adds a sidebar to the Firefox browser window. When the Firesheep user logs on to a website, the account information of anyone else connected to the same wireless network and logged on to that site will appear in a list on the Firesheep sidebar. By clicking someone’s account information in the sidebar, the Firesheep user can effectively hijack that person’s account.
Ohio State’s wireless network uses WPA2 encryption to provide security to its users. But that encryption does not completely protect people from the add-on, which has been downloaded nearly 1 million times, according to the personal blog of Eric Butler, the freelance Web developer who created Firesheep.
“A password-protected (WPA2) wireless network or even a wired network just requires that attackers perform one more step to carry out this attack,” Butler said in a blog entry Oct. 26. “It’s not very helpful to just enable WPA2. … Doing so might actually give users a dangerously false sense of security.”
Information technology experts agree.
“There could possibly be students or other people on our network that are playing around with a tool like this,” said Shawn Sines, information technology specialist for Security Planning and Outreach at OSU. “If students aren’t making the right choices when they go to these websites to protect themselves … then they are still basically exposed to this risk.”
The Office of the Chief Information Officer posted several tips on the BuckeyeSecure website to help students stay safe on the Internet. But each recommendation comes at a cost.
Sines said students should use only secure versions of websites to ensure their protection. He advised students to use a Firefox add-on called HTTPS Everywhere, which is meant to provide users secure connections to every website they visit.
But HTTPS Everywhere limits people’s access to certain websites that are not equipped to handle secure traffic, said Joe Bazeley, information security officer for IT Services at Miami University.
“It’s a much more complicated decision than saying, ‘If you do this, then you’ll be safe,'” Bazeley said.
Many popular websites, including Facebook, Twitter and Foursquare, provide their users a secure connection when they log on to their accounts, but after users log in, their information is vulnerable.
“They present you a secure front door where you come in … and then as soon as they have done that, they shift you back over to an insecure area,” Sines said.
When people log on to a website that requires a password, the website sends them a “cookie,” a text file that stays on their computers to keep them logged in. The website checks those people’s identities whenever they do something on the site, such as write on someone’s Facebook wall. To verify the users’ identities, the website checks to see if they have the cookie.
Firesheep allows people to intercept others’ cookies, giving them access to those people’s accounts.
“As long as you have the cookie, then the website feels like you are that person,” Sines said.
Zach Kaufman, a third-year in mechanical engineering, said he regularly logs on to Facebook using OSU’s wireless network and was unaware that his security could be at risk.
“I think it’s cool that people have the knowledge to create something like” Firesheep, he said. “But I don’t think that it’s right that they should be able to use it.”
Kaufman said he is not worried about someone side-jacking his Facebook account and will continue to log on to Facebook despite the security risk.
Although the add-on appears malicious to many, Butler’s reason for developing Firesheep was to expose the lack of security on the Internet, his blog says. He said the Internet security issues will not be resolved until all websites properly encrypt their traffic.
“True success will be when Firesheep no longer works at all,” Butler said in his blog.